What Azure storage service has the User-Agent tag of 'services_xstore_transport_HTTP2/1.0'?

Kif F 0 Reputation points
2025-12-12T00:23:20.7233333+00:00

Does anyone know what service is generating these logs on a GRS storage account? I'm assuming this is Azure backend replication, but these events only started happening less than 48 hours ago.

I've been looking at logs and this has been alerting due to coming from an unknown private IP address, based on key authentication, accessing what should be a restricted file share.

Below is the KQL query on the storage account logs:

StorageFileLogs
| order by TimeGenerated desc
| where CallerIpAddress !contains "<Internal CIDR>"
| where AuthenticationHash !contains 'system-1'
| project TimeGenerated, AuthenticationType, StatusCode, CallerIpAddress, UserAgentHeader

These are the results, across a range of IPs. This screenshot shows 100.75.x.y, but there have also been 10.x.y.z IP addresses which don't belong to our internal network environment (either in Azure or otherwise).

Screenshot 2025-12-12 111805


1 answer

  1. Venkatesan S 2,055 Reputation points Microsoft External Staff Moderator
    2025-12-12T01:36:00.0233333+00:00

    Hi Kif F,

    Thanks for posting your question in the Microsoft Q&A forum.

    Could you please extend your KQL query to include OperationName and StatusText fields?

    StorageFileLogs
    | order by TimeGenerated desc
    | where CallerIpAddress !contains "<Internal CIDR>"
    | where AuthenticationHash !contains "system-1"
    | project TimeGenerated, OperationName, StatusText, AuthenticationType, StatusCode, CallerIpAddress, UserAgentHeader
    
    

    Based on OperationName = GetShareProperties, StatusText = Success, the UserAgentHeader = services_xstore_transport_HTTP2/1.0, and the fact that the calls originate from private IP ranges (10.x.x.x, 100.75.x.x) using AuthenticationType = AccountKey, these logs are generated by Azure Storage internal backend services rather than by any customer‑initiated access.

    Key points:

    • GetShareProperties is a control/metadata operation used by the Azure Files platform to read share properties and metadata, and is commonly involved in health checks, monitoring and replication‑related workflows, especially on GRS‑enabled storage accounts.
    • The services_xstore_transport_HTTP2/1.0 user agent is associated with Azure‑managed storage infrastructure and not with typical client applications or OS‑level access.
    • Private IP ranges such as 10.x.x.x and 100.64.0.0/10 are used internally within Microsoft’s Azure network and do not correspond to your customer VNets or on‑premises ranges.
    • These operations legitimately use account key authentication as part of backend storage processes and consistently succeed (StatusCode = 200), which matches expected platform behavior.
    • The recent appearance of these entries is most likely due to changes or optimizations in Azure backend monitoring or replication logic and does not indicate a security incident.

    Reference:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
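
An added triage query, not part of the original thread and not Microsoft guidance: it tests every non-internal caller event against the pattern described in the answer above, and uses CIDR matching rather than the substring match that `!contains` performs. The `InternalRanges` values and the 7-day window are placeholders to replace with your own.

```kusto
// Added example. InternalRanges is a constructed placeholder:
// replace it with your own VNet and on-premises CIDRs.
let InternalRanges = dynamic(["192.0.2.0/24"]);
StorageFileLogs
| where TimeGenerated > ago(7d)                 // constructed look-back window
// CallerIpAddress is logged as ip:port, so keep only the IPv4 part.
| extend CallerIp = extract(@"^(\d{1,3}(?:\.\d{1,3}){3})", 1, CallerIpAddress)
| extend IsInternal = ipv4_is_in_any_range(CallerIp, InternalRanges)
// Keep callers outside the internal ranges; unparsable (e.g. IPv6)
// callers yield null and are kept for review instead of being dropped.
| where isnull(IsInternal) or not(IsInternal)
| where AuthenticationHash !contains "system-1"
// Ranges named in the answer: 10.x.x.x and 100.64.0.0/10.
| extend InAnswerRanges = coalesce(
      ipv4_is_in_range(CallerIp, "10.0.0.0/8")
      or ipv4_is_in_range(CallerIp, "100.64.0.0/10"), false)
// True only when every attribute listed in the answer matches.
| extend MatchesAnswerPattern =
      OperationName == "GetShareProperties"
      and UserAgentHeader == "services_xstore_transport_HTTP2/1.0"
      and AuthenticationType == "AccountKey"
      and tostring(StatusCode) == "200"
      and InAnswerRanges
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by MatchesAnswerPattern, CallerIp, OperationName, StatusText,
       AuthenticationType, AuthenticationHash, UserAgentHeader
// Rows that deviate from the described pattern sort first.
| order by MatchesAnswerPattern asc, Events desc
```

Rows with `MatchesAnswerPattern == false` are the ones to review: a different operation, a failure status, or a caller outside the two ranges. The User-Agent header is supplied by the client, so it should not be the only attribute used to suppress an alert.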